On Aug 25, Damiano Venturin wrote:
> Otherwise another acceptable solution would be to receive a
> notification the first time that the script fails, as there should
> still be some days left before the certificates expire (eventually the
> cron job could be daily to narrow down the time frame). I need to check
> the Let's Encrypt docs to see how early they accept renewal.
> Is there any notification mechanism in place, or shall I look into the
> script and eventually fire an email?
There's currently no mechanism. However, I think that the best solution would
be to add a mechanism of script hooks, similar to how external certificates
can now be handled via a custom script. The additional hooks could execute
scripts with specific environment variables. Then you can add whatever
notification method you like - e-mail messages, SNMP traps, Icinga
notifications, MQTT messages, and so on.
Perhaps hooking the PKI to something like a RabbitMQ event bus could help you
maintain ACME certs in a distributed environment - you use a shared private
key, one host takes the role of "renewal node" and other hosts listen to the
renewal event and get the new certificates that way. But that should probably
stay optional for now, not everybody wants to set up a RabbitMQ cluster.
If you want to, and you like bash, you can try and add something like that in
the 'pki-realm' script. Looking forward to the pull request. And if not,
perhaps this could be added when the 'pki' role is rewritten.
-- Maciej
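As an added illustration of the hook mechanism sketched in the reply above (this is example code, not part of the 'pki' role or the 'pki-realm' script): a small bash dispatcher that runs every executable in a hooks directory with the event details exported as environment variables, so a hook can send mail, an SNMP trap or an MQTT message without the PKI script knowing about any of them. The hooks directory, the PKI_HOOK_* variable names, the PKI_HOOK_LOG variable and the 'renewal-failed' event name are all assumptions made for this example. A failing hook is reported but does not stop the remaining hooks, which is what you want for a best-effort notification path.

```bash
#!/usr/bin/env bash
# Added example, not code from the 'pki' role. All names below (hooks
# directory, PKI_HOOK_* variables, event names) are assumptions.

# pki_run_hooks EVENT REALM MESSAGE [HOOK_DIR]
# Runs every executable regular file in HOOK_DIR (default /etc/pki/hooks.d)
# in sorted order, with the event details exported in its environment.
# A failing hook is logged to stderr and the loop continues; the function
# returns 1 if any hook failed, 0 otherwise (also 0 if HOOK_DIR is absent).
pki_run_hooks() {
    local event="$1" realm="$2" message="$3"
    local hook_dir="${4:-/etc/pki/hooks.d}"
    local hook rc=0

    [ -d "$hook_dir" ] || return 0

    for hook in "$hook_dir"/*; do
        # Skip non-files (including an unexpanded glob on an empty dir)
        # and anything that is not executable.
        [ -f "$hook" ] && [ -x "$hook" ] || continue
        # Hooks only see what is exported here plus the inherited environment.
        if ! env PKI_HOOK_EVENT="$event" \
                 PKI_HOOK_REALM="$realm" \
                 PKI_HOOK_MESSAGE="$message" \
                 PKI_HOOK_TIME="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
                 "$hook"; then
            echo "pki: hook '$hook' failed for event '$event'" >&2
            rc=1
        fi
    done
    return "$rc"
}

# pki_write_sample_hook HOOK_DIR
# Writes a constructed sample hook that appends one line per event to the
# file named by PKI_HOOK_LOG (default /tmp/pki-hook.log). A real hook would
# call mail(1), snmptrap, mosquitto_pub, etc. using the same variables.
pki_write_sample_hook() {
    local hook_dir="$1"
    mkdir -p "$hook_dir"
    cat > "$hook_dir/10-log-event" <<'EOF'
#!/bin/sh
printf '%s %s %s: %s\n' "$PKI_HOOK_TIME" "$PKI_HOOK_EVENT" \
    "$PKI_HOOK_REALM" "$PKI_HOOK_MESSAGE" >> "${PKI_HOOK_LOG:-/tmp/pki-hook.log}"
EOF
    chmod +x "$hook_dir/10-log-event"
}
```

Usage would be a single line at the point where the renewal script detects a failure, e.g. `pki_run_hooks renewal-failed example.com "certbot exited with status 1"`; the same call with a different event name (say `renewed`) is the natural place to publish to a message bus later, without changing the dispatcher.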